The latest Tails 3.0.1 update has been running great on my 2008 MacBook and 2009 MacBook Pro, and for the first time actually completes the entire shut down sequence properly, so I no longer have to manually power the machine off. This is hands-down the best version so far.

Many flash drives do not play well, if at all, with Tails. The ones pictured above have consistently worked well for me, the first 3 are by Kingston, the fourth from Transcend, and the last is a Gorilla Drive I found from EP Memory. The Transcend has the smallest form factor and only sticks out about 7/16" from the side of the computer.

The various SanDisk, Lexar, Samsung, and Silicon Power flash drives I have tried do not work with Tails, although SanDisk's SD cards have worked well.

Chances are running Tor even on a VM is going to be much better than using a browser on Windows, as 95% of spyware and the like probably is not that sophisticated, even though a lot of spying is going on.

Remember, do not ever use this on any computer associated with you or any of your locations (home, work, etc.). Complete separation is required; you basically have to create a separate "you" that never crosses the real you.

If you just want more privacy on computers you own, a VPN and Tor work great. Never use public wifi without a VPN though.

I understand the technical reasons, but not the methodology.

Why can't you test out TOR on a personal machine you own? I agree for true OPSEC, like transmitting leaked classified documents and actual stuff you wanted to keep secret should be done with layers of anonymity. Go to an internet cafe, pay cash, etc.

The USB OS is stateless. Anything you do while it's booted is volatile and disappears upon shut down. So that USB should have no evidence that it was booted up from your laptop.

TOR does not hide your MAC address, which can be traced to your network location and then used to identify your specific computer. TAILS at least uses a fake MAC that can't be positively connected to you, but it still can give away your location.

Find a digital copy of Kevin Mitnick's book The Art of Invisibility, and give it a read. He was a world famous hacker who got caught, and is now a penetration tester.

You have to choose security or convenience; you cannot have both. For some people TOR, or TAILS on a personal computer, is enough, as long as you understand the limits of your decision.

BTW Nord VPN service is great. I have been very happy with them. Working great off my phone and home/work computers. While in China for 2 weeks this summer, it was the only way I could connect to sites that the Chinese .gov blocks.

I think your IP address is different. That probably comes from your service provider or whatever network you are on. However, some kind of malware/spyware would be needed to get your MAC address, I suspect. Although your MAC address is visible within your local network, it would appear. I don't think your MAC address is needed to spy on you unless you use your computer in a stealth type of way, such as only using a specific laptop for specific purposes and not using it on your home network, etc. James Wesley Rawles says have a computer that you only use at libraries 20 miles from your house, which is kind of inconvenient.

My guess is that your ISP can help others spy on you based on the MAC address, and they have access to that info. It's been in the news, it seems, that ISPs have been allowed a lot of leeway in collecting and sharing your info. When you are out on the web, your machine appears as an IP address, but your ISP probably can map that to your MAC address and probably they share that with certain companies who then provide that service to others.

The MAC address is only visible on your local network. You don't need to hide it.

With Tor or without Tor, as soon as the packet reaches your default gateway, that computer sitting between you and the next network segment, your MAC cannot be seen anymore.

But if someone tries very hard to trace you, a specially crafted website can get your MAC by exploiting your browser, executing some commands on your computer and getting all kinds of information from the computer.

But this does not have anything to do with Tor nor no-Tor nor MAC address.

If you have your own firewall which provides DHCP service and NAT for your devices, your MAC address is not in a DHCP request or router syslog going to the ISP.

If the ISP provides the router or manages a customer owned router, they certainly know the MAC address of that router. If that router is providing DHCP service or is acting as a bridge to provide IP addresses for your devices from a centralized DHCP server, the MAC address and the IP address (metadata) are logged. Additionally, your MAC address may be included in your IPv6 address. The DHCP logs and router syslogs can be obtained via a subpoena under CALEA, USA PATRIOT ACT, and/or The Homeland Security Act of 2002 by any law enforcement agency, even the dog catcher or child protective services. For legal compliance, many ISPs outsource their subpoena processing to Neustar, which uses SS8 Networks’

Somewhere between versions 3.3 and 3.8, Tails (or the latest firmware updates) became incompatible with all of the Macs that previously ran it. The USB sticks all hang midway and DVD images won’t even begin to boot. Apparently it’s a known issue without a clear solution beyond trial and error.

Not sure it’s worth buying a cheap Windows machine for running a slow OS that I don’t use for serious stuff, but I might give it a go.

So, I tested some sub-$200 "burner notebooks" for compatibility with Tails and a few different Linux distros. It's kind of amazing just how much computing capability is available for so little these days, but even then these machines have to cut corners somewhere and some do a better job than others.

The first deficiency that was painfully obvious for all of these machines, right out of the box, was the typical 32Gb eMMC internal storage that comes installed at this price range. None of my samples allow this 32Gb size to be upgraded by the user and only one had an open space that allowed the addition of a 2.5" SATA drive. The painful part comes when performing the first update of the Windows 10 software these notebooks come with, because they don't have enough free space to complete the most recent 1804 feature upgrade. Supposedly there are ways to offload some storage to the cloud or a USB drive, but I didn't have any luck and decided to experiment with Linux instead. I did eventually go back and download the 1804 iso, burned it to DVD, and was able to do a clean reinstall that registered Win10 to my Microsoft account on all the machines. Minus the OEM crapware these things come out of the box with, the reinstall left about 13Gb of free space remaining, which might be enough to do light duty web-centric tasks, kinda like a Chromebook. All but one notebook used a version of Windows called 10S, which only allows you to install apps approved by Microsoft, although when I reinstalled from DVD they came up on my online account registered as Windows 10 Home, without any of the lockdown features of 10S.

These all came with 4Gb of RAM, which was not obviously user upgradeable. And all but the HP had an HDMI port.

This was the second smallest of the five, but the most sluggish and loaded down with crapware. Its WiFi isn't supported by Tails 3.8 or 3.9, and there's no ethernet jack, so getting online is problematic. There are only two USB jacks, but Tails won't boot from the faster 3.0 one. There's a mini SD slot, but none of the computers I've used lately are able to boot Tails from SD currently. Battery life seems to be no better than 5hrs. Keyboard is cramped, but fairly useable, and there's a Caps Lock light that comes in handy when trying to figure out why you suddenly forgot the password you just encrypted the disk with. The camera is junky, but able to read QR codes within the Electrum Wallet app in dim light. A lightweight Peppermint 9 Linux distro worked great, leaving 22Gb free after installation, had WiFi driver support, and was significantly quicker to use. Linux Mint Mate didn't have WiFi support.

I also received the 14" iteration of this HP laptop, which was fortunately missing a couple of keys and gave me an excuse to send it back to Amazon for a refund.

This is the only AMD processor of the bunch. It eventually boots Tails 3.9 and supports WiFi, but didn't with 3.8 or Linux Mint. It runs Peppermint fine (everything seems to like Peppermint), but is kind of sluggish with Ubuntu. There's ethernet, USB C, 3.0, 2.0, and regular SD jacks. The keyboard is pretty close to normal size, but laid out such that I kept hitting Caps Lock without knowing it and couldn't figure out why I couldn't remember my password. The camera is slightly better than the HP. The battery life is the worst at <5hrs. The only redeeming feature of this laptop is the accessible 2.5" bay for upgraded storage. I put in an SSD and am in the process of downloading the bitcoin blockchain and will probably wind up running this as a full node in place of the old MacBook Pro I'm using now.

This is the same size as the above ASUS, but performs better in every area except internal storage expansion. It runs Tails great, as well as everything else I tried, and there were no issues with WiFi. The screen and camera seem to be the best of this bunch, as is the keyboard and trackpad. The battery life really is 9 hours, easily 2-3 times of the similarly sized ASUS. Besides lacking USB C, it has the same jacks as the ASUS, too.

This little ASUS is definitely the ideal "burner laptop" in terms of size, performance, and cost. This was the only unit that came with 64Gb, which allowed it to function the best in Windows. Tails and Linux run great, without any WiFi or camera issues. Battery life is 10 hours and the screen and keyboard are surprisingly functional despite being the smallest of the bunch. It has two USB 3.0 and one USB C jacks, as well as a micro SD slot, significantly better than the slightly larger HP. This BIOS was also the easiest to navigate and change. This one also automatically updated me to Windows 10 Pro when I did a clean install from DVD.

In looking back at Amazon while writing this up I noticed that several of these are now listed above $200, but the prices I listed are what I paid for them within the last two weeks.

Pick up a used/refurbished Lenovo T420 off of eBay. I decided I was sick of the crappy cheap Windows laptops and I needed something better for my school PC. I slapped in a new SSD for about $80 and this sucker screams with Linux on it.

Not sure how it would run with TAILS, but probably not bad.

If you can find one at a local used computer store, you could pay cash and there wouldn't be a paper trail.

Tails 3.9 still won't boot my 2010 15" MacBook Pro, but has decided to work with my 2009 13" MacBook Pro again. And pulling the USB out of the machine properly initiates the Tails shut down sequence and memory wiping, which is the first time that's ever happened for me on a Mac. The bundled Electrum 3.1.3 wallet still can't use the camera, though, which isn't too surprising as Electrum 3.2.3 isn't able to use the camera from macOS, either. The 2013 MacBook Air will boot Tails off some thumbdrives, but still doesn't support WiFi.

All my SanDisk thumbdrives, including the previously problematic "Cruzer" types, work with Tails now, as does my Silicon Power.

These from Verbatim are essentially the same drive and work very reliably with Tails, albeit slowly, and their small form factors and "clothing" make for some interesting carrying possibilities.

This Corsair works extremely well (just not on Macs), but the Transcend still remains my all-around favorite.

I can no longer get any machine to boot Tails from SD cards from SanDisk, Kingston, Transcend, or anything else I've tried.

I discovered Tails includes software for splitting a secret using the cryptographic technique known as Shamir's Secret Sharing Scheme, or SSSS. Tails is ideal for this type of procedure since by default it airgaps the machine from the internet and doesn't leave any trace of activity after shutdown.

This method allows one to break up a secret string, up to 128 characters long, into multiple parts and specify how many parts are necessary to reconstruct the secret. The total number of shares is designated n and the minimum threshold of shares necessary to reveal the secret is t. So a t=3, n=5 scheme would split the secret into 5 separate shares, which can be distributed and stored in separate locations, with a minimum of 3 shares needed for unlocking the secret again.

An example of the terminal commands and outputs for a 2 of 3 secret share where t=2 and n=3:

At the prompt type: ssss-split -t 2 -n 3

which returns the following prompt: Generating shares using a (2,3) scheme with dynamic security level. Enter the secret, at most 128 ASCII characters:

Type or paste the secret (the characters will not be displayed on the screen so be careful): My Secret Password

Three lines are then generated on the screen, these are the shares to be distributed or stored:

1-b54b2d9b04bde7982e9b554ebb181668003d
2-83c551606fb0586b51ebfbd1ef35d562269e
3-91bf7ac9494b32c584c461a4dcd16b9bc4fd

To regenerate the secret, type the following: ssss-combine -t 2

the following instruction is displayed: Enter 2 shares separated by newlines: Share [1/2]:

type or paste in one of the shares: 3-91bf7ac9494b32c584c461a4dcd16b9bc4fd

which then prompts: Share [2/2]:

type or paste a second share: 1-b54b2d9b04bde7982e9b554ebb181668003d

which outputs: Resulting secret: My Secret Password

A very important detail to remember is that, unlike with a hashing function like SHA256, each time you perform a split operation on the same secret it will produce different shares, which won't be compatible with other instances. This means that if you follow my exact instructions on your own machine it will output three different shares for the My Secret Password phrase. However, you should be able to combine any 2 of the 3 shares I produced above and correctly reveal the secret.

Also, I find that a text editor is necessary to compose, record, and track the inputs and outputs in the terminal. But this requires extreme care with copying and pasting between them, it's really easy to screw up. Be sure to test that the shares produced are recoverable before distributing them.
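
Added example (not part of the original post, and not the code of the ssss tool): a small t-of-n split and combine that shows why any t shares recover the secret and why every split of the same secret gives different shares. It assumes a prime-field construction and its own share format, so its shares cannot be fed to ssss-combine; all function names are made up for this example.

```python
import secrets

# Assumption of this example: arithmetic modulo the Mersenne prime 2**1279 - 1,
# big enough for a 128-character secret. The ssss tool in Tails uses a binary
# field instead, so these shares are NOT interchangeable with its output.
PRIME = 2**1279 - 1
MAX_LEN = 128


def _eval_poly(coeffs, x):
    """Evaluate the polynomial at x using Horner's rule, modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split(secret, t, n):
    """Return n shares (x, y); any t of them reconstruct the secret."""
    data = secret.encode("ascii")
    if not 0 < len(data) <= MAX_LEN:
        raise ValueError("secret must be 1 to 128 ASCII characters")
    if not 2 <= t <= n:
        raise ValueError("need 2 <= t <= n")
    # A 0x01 marker byte keeps leading zero bytes and lets decode() spot garbage.
    secret_int = int.from_bytes(b"\x01" + data, "big")
    # The secret is the constant term. The other t-1 coefficients are fresh
    # random numbers, which is why two splits of one secret never match.
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine(shares):
    """Lagrange-interpolate the shared polynomial at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("the same share was entered twice")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def decode(value):
    """Turn a combined value back into text, rejecting a failed recovery."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if len(raw) > MAX_LEN + 1 or raw[:1] != b"\x01":
        raise ValueError("wrong result: too few shares or shares from different splits")
    return raw[1:].decode("ascii")


if __name__ == "__main__":
    shares = split("My Secret Password", t=2, n=3)
    for x, y in shares:
        print(f"{x}-{y:x}")
    # Recover from shares 3 and 1, the same pair used in the post.
    print(decode(combine([shares[2], shares[0]])))
```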

I've been using Tails on and off for some time, but not very often for online use. Online I usually use the TOR browser. I use Tails primarily offline to do things I don't want traces of left all over Windows. I keep it installed on 2 usb flash drives, one at the latest version and the other an older 32 bit version for an old machine I have. I never knew about the splitting feature but will have to check into it. Reading the previous post the first thing that popped to mind was using the splitting feature to store crypto currency keys, or giving a few people a split piece that can be put back together if needed. I haven't read up on the split feature so I am only guessing at uses- but it sounds interesting.

That's what brought SSSS to my attention.

But using this scheme with crypto has some problems (mostly due to the lack of clearly defined standards and the difficulties inherent to securely handling long hex strings) that I haven't worked through adequately, yet.

Most experts are recommending that the mnemonic seed phrase be used as the ultimate crypto backup, as it can regenerate all addresses produced by that seed in standard HD wallets. But turning a more easily managed seed phrase into strings of hex gibberish kind of defeats the purpose of using a mnemonic. The other problem is that most HD wallets default to a 24-word seed, which won't fit in the SSSS 128-character limit, unless you utilize the numeric decimal index (ie. there are 2048 seed words on the BIP39 wordlist, so each word could be referenced as a 4-digit number) instead of the word, but then you get into issues of whether the parties regenerating the key or phrase understand what was actually used to generate the shares.

This guy has come up with an interesting hybrid system where a seed phrase is split using a custom SSSS implementation that outputs shares in bip39 words: https://iancoleman.io/shamir39/

But he's the first to admonish against using his system because it's not standardized and you will be dependent on his implementation.

Which brings up another issue with SSSS. It's not really a standardized system, either. The implementation used in Tails has been around since 2006 and may be the closest thing to a standard that there is right now.

I still haven't looked into this, but coincidentally while driving I was listening to old podcasts of Security Now and there were a few episodes on cryptography. One used a corporate example dealing with the issue of losing a master key and how to spread the key among multiple people so that no individual has access without a number of others. I have to listen to the episodes again since I only understand an overview at this point. There are also text files you can download for each episode which I should download for myself. 99% of my podcast listening is while driving so I can't always give them the attention needed. If interested they are at GRC.com from 2006 if I recall correctly. Basically unbreakable encryption exists if taking billions of centuries to brute force is considered unbreakable.

As with the Enigma Machine, the greatest weakness is human errors. Enigma did have some weakness in its design as well. If it's still around there was a project, Enigma@home that used distributed processing to crack actual WW2 Enigma messages. The last remaining unencrypted messages have been cracked. There is an Android equivalent of Enigma you can play with.

If whatever needs to be encrypted is valuable enough to justify the cost, Apricorn sells an interesting Aegis Secure Key. Too many features to list but basically a usb drive with built in keypad. A computer won't even see it to mount unless unlocked from the keypad first, so an 'attacker' must have the physical key and brute force via its keypad in a few tries before data is wiped. A well encrypted backup of the device should be kept!

Have you used it?

I’ve played with the software-encrypted drives from Kanguru but the fact that they have an option for cloud management of the keys makes me suspicious of a backdoor. They don’t play well with Linux or Tails, either.

Yes, Steve Gibson is a wealth of info. The crypto podcasts started off using a decoder ring to get the basics down. Kind of reminded me of Einstein explaining relativity with a ball dropping from a moving train.

Yes, after much thought, and looking at other alternatives I did buy a secure key. For one thing I was hesitant about having a keypad on the drive. Once I got it and started to set it up my hesitation on the keypad was eliminated. The keys have a good solid feel to them. I got the one that has a slide on cover which protects the unit when not in use. When I carry it I keep it tethered with a cord to a belt loop and the drive in a pocket, so the cover helps keep the device clean and from unnecessary wear on key markings. The built in battery was another concern, but if it goes dead (mine hasn't) a short while plugged into a USB port will start charging it back up. As noted, it can get quite hot while in heavy use, but aside from an occasional virus scan I don't put heavy use on it. The keypad is on the small side. I can use it ok with a little care, but for someone with large fingers a pencil eraser would probably be helpful. All in all I like it. I have no concern about its contents being safe if I were to lose it. A few tries to access it and the data will be gone. I keep a few programs on it, truecrypt and a couple others- not because I encrypt what's on the drive (but you can) but just for an extra copy in case.

After much thought and research I decided the key was the best answer. Previously an old Windows7 laptop with unnecessary software deleted and air gapped to never touch the internet was my solution. From work and Steve Gibson I know physical security is most important, and that laptop was mostly unattended.

Apricorn's site has a lot of info, but if you have any questions I'll try to answer them. BTW, it is a little wide so if you have 2 usb ports close together you probably won't be able to use one. I have a few standard usb drives that do the same thing so that is not unique to the key.

Gibson is great for practical tips and tools for online privacy and security. But for underlying theory, I highly recommend The Code Book. Singh presents the cat-and-mouse history of secret communications and explains the fundamentals of cryptology in an easy to understand way. One-time pads, cracking Enigma, PGP, quantum computing, it's all explained here for the non-mathematically inclined.

Thanks for the book links, I'll add them to my next order. I just updated my Tails usb drive to the latest level even though I don't really use it online. After the update I used it to try logging into TSP and the IP got blocked as spam. I've had that happen with a number of other sites too. Usually I don't bother with sites that block my apparent IP or present a captcha (sp) challenge, I just move on. There are so many online sources for everything- except for TSP.